Looking into the PCI compliance checklist? We explain what the 12 requirements of PCI compliance are and how to ensure that you are compliant.
What Is on the PCI Compliance Checklist?
The 12 requirements of PCI compliance are as follows:
- Install and maintain a firewall.
- Do not use default passwords or settings.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data.
- Protect against malware with antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Monitor all access to network resources.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Why PCI Compliance Matters
PCI (Payment Card Industry) compliance is a set of evolving standards that aims to protect customer information and is a requirement for any organization that processes, stores, or transmits cardholder data.
PCI standards are developed and maintained by the PCI Security Standards Council, which is made up of stakeholders and affiliate members like Amazon, Google, and Square. Outseer closely monitors developments in the compliance space and actively participates on the PCI SSC Board of Advisors.
PCI compliance is not a one-time assessment, either. It is an ongoing process that requires regular evaluations of the systems and procedures organizations have in place to keep cardholder data safe.
The PCI Security Standards Council recently released version 4.0 of its Data Security Standard (DSS), which outlines a set of comprehensive standards for organizations to follow. Among other things, PCI DSS 4.0 is designed to add flexibility for different methodologies and enhance validation methods.
What Are the PCI Compliance Penalties?
The passing grade for PCI compliance is 100%, meaning one missed criterion puts a business in noncompliance, which can result in steep fines and consequences such as the following:
Failure to meet PCI compliance can result in steep fines and consequences that include:
- Fines varying from $5,000 to $100,000 per month
- Increased transaction fees
- Suspension of the non-compliant merchant account
- Increased auditing requirements
- Damage to brand reputation
- $50 to $90 per cardholder whose information is compromised
- Legal costs from lawsuits, settlements, and judgments
This can all add up fast. Today, a data breach of any kind costs US-based companies $9.05 million on average, per incident. And it can go much higher. At $90 per cardholder, for instance, the Capital One breach that exposed personal and payment information of 106 million customers could cost the bank up to $1 billion in cardholder compensation alone.
Who Enforces PCI Compliance?
PCI compliance is enforced by Visa, AmEx, Mastercard, Discover, and JCB International, but ultimately it is up to the organization handling cardholder data to meet PCI standards themselves. With that said, let’s explore exactly what you’ll need to do to meet PCI compliance.
PCI Compliance Checklist
PCI compliance doesn’t have to be complicated. Below we’ve taken each of the 12 PCI requirements and broken them down into simple actionable steps you can take to protect your customers and your business.
Install and Maintain a Firewall
A firewall secures your network traffic from the outside world and acts as a bridge between your internal network and the internet. Without a properly configured firewall, attackers can enter your network and access sensitive information like cardholder data.
Firewall solutions will range depending on your size and networking requirements. Many firewall vendors have a range of models that cater to small businesses and enterprises alike. Firewalls are useless without proper configuration, which means they should be maintained by a system administrator.
- Understand what firewall policies you’ll need to meet PCI compliance.
- Purchase a firewall for each location that handles cardholder data.
- Create a unique username and password for admin access.
- Configure each firewall and validate its settings.
- Regularly patch and maintain the firewall to keep it secure.
Change Default Passwords
Both hardware and software often come with default passwords upon setup. While these default passwords seem convenient, they leave your organization vulnerable to attack. Cybercriminals can crawl the internet and identify different internet-facing applications. With a bit of scripting, attackers can test the default credentials of thousands of devices and systems.
Accounting software, Wi-Fi routers, network switches, and web applications can all be vulnerable to default password attacks.
- Create a list of your hardware and software solutions.
- Audit your hardware and software for default credentials.
- Verify each user account is using a strong nondefault password.
- Maintain documentation of changes.
Protect Stored Cardholder Data
Organizations that store, transmit, or process cardholder data in digital or physical form must take appropriate steps to protect that data. Depending on your business, these steps will vary. For example, stored cardholder data must be secured with strong encryption and truncated when viewed.
- Only retain cardholder data if authorized and necessary for business.
- Identify exactly where payment data is stored.
- Use strong and modern encryption techniques to render data unreadable.
- Use tokenization to further protect stored data.
- Restrict access to cardholder data by limiting access to encryption keys and account logins.
- Truncate or mask the primary account number when the full PAN is not needed.
- Never store cardholder PINs, card validation codes, or the full contents of a magnetic stripe or chip.
Encrypt Transmission of Cardholder Data
Similar to data storage, sensitive cardholder data in transit also must be secured. If left unsecured, plaintext information can be stolen through a variety of attacks.
A common technique attackers use is called packet sniffing, where a small piece of software listens across a network and copies traffic related to credit card payments. If this traffic is left unencrypted, attackers can easily see the contents of these packets and abuse cardholder data.
- Secure data over open or public networks such as the internet, cellular data, Wi-Fi, Bluetooth, GPRS, and Satcom.
- Encrypt data with strong cryptography protocols such as SSL, TLS, SSH, and IPSEC.
- Ensure protocols in use only support secure versions and configurations.
- Disable weak versions of protocols such as SSL v2.0, WEP, and TLS 1.0.
- Only use trusted keys and certificates.
Protect Against Malware
If left unsecured, your network can be vulnerable to malware that silently collects cardholder data and sends its back to the attackers who deployed it. Malware can enter your network through a variety of channels such as email, vulnerable applications, account takeover, USB drives, and malicious links.
To combat this, organizations often take a layered approach to security that includes a firewall, endpoint security, intrusion detection, and vulnerability remediation. At the very minimum organizations should use business anti-malware software that monitors the network and endpoints for threats in conjunction with their firewall.
- Use an email gateway to identify and block phishing scams and malicious links.
- Install business-grade antivirus software on company computers and phones.
- Use intrusion detection systems that monitor the network for malicious behavior.
- Centralize your monitor efforts through 24/7 threat management.
Develop and Maintain Secure Systems and Applications
PCI compliance is an ongoing process that involves conducting self-audits, performing routine security tasks, and designing new procedures. A large part of staying compliant is creating policies and procedures that align with the PCI standard.
Typically, organizations conduct a risk assessment and take note of all the software and hardware that involves cardholder data. Once listed, managers can assign proper access controls, audits, and procedures for staff to follow.
This same process applies to software development, patching, and vulnerability remediation. Organizations use vulnerability scanning tools and remediation teams to ensure systems are patched and PCI compliant.
- Implement a vulnerability disclosure and remediation program.
- Conduct routine self-assessments and compliance audit across your systems.
- Designed policies and procedures for staff that align with PCI compliance requirements.
- Install patches and hotfixes regularly and keep systems up to date.
Restrict Access to Cardholder Data
Cardholder data should only be accessible to those who absolutely need it. Each user should have their own username and password and never log in with a shared or generic account. This is necessary for accurate auditing during a data breach or internal investigation.
This rule extends to physical information as well. PCI compliance rules state that organizations should use appropriate access controls to monitor and limit physical access to cardholder data. This includes keeping records locked and secure, having staff present where PCI information is stored, and using security measures to monitor access.
These steps prevent cardholder information from being stolen, as well as destroyed by unauthorized persons.
- Only grant access to cardholder information to individuals that need it.
- Ensure each account has a unique username and password.
- Never use a shared or generic account.
- Leverage fraud prevention technology to stop account takeover attacks.
- Implement two-factor authentication when possible.
- Conduct physical audits of locks, card readers, and security systems.
Monitor Access to All Network Resources
Networks provide a path to access cardholder data, even when those systems appear segmented. Crafty attackers use various methods to gain access to network resources and computers in order to steal data, impersonate staff, and hijack funds.
A common strategy is for attackers to send phishing messages to staff that have privileged access to cardholder data. These messages are designed to trick the victim into clicking a malicious link or entering their login credentials to a fake site. Criminals use these attacks to plant additional malware, access sensitive systems, and work their way deeper into more secure areas of a network.
- Use risk-based account monitoring to prevent unauthorized access.
- Use a SIEM-based tool to monitor and record network activity.
- Keep an audit of time-stamped network activity for at least one year.
- Assign a staff member to review networking monitoring efforts and system reliability.
Regularly Test Security Systems and Processes
Scheduled testing is crucial to maintaining PCI compliance. Criminals are constantly looking for new loopholes, unpatched systems, and uninformed staff to exploit. Regular testing ensures the systems you put in place are working as expected and cover new devices or applications.
Vulnerability and penetration testing as well as PCI compliance scans can help you stay compliant and prioritize the issues you need to resolve first. External-facing domains and IP addresses must be scanned by a PCI Approved Scanning Vendor.
This scan might determine you need a static IP address or you need to update your TLS to meet compliance. Your system administrator can help you meet these requirements. Internal vulnerability and compliance scans should also be performed quarterly.
- Perform quarterly vulnerability and PCI compliance scans.
- Detect rogue access points by scanning for networks in your areas quarterly.
- Implement penetration testing standards (NIST SP800-115, 800-53, etc.).
- Deploy change detection for security configurations.
- Document how tests should be performed and what to do if there are compliance issues.
Maintain a Policy That Addresses Information Security
PCI compliance should be a company-wide effort with each department and team understanding their roles and responsibilities to meet compliance. this security policy should educate all staff, management, and third parties on how your systems should be handled.
Typically anyone with access to these systems should read and sign access requirements, undergo a background check, and participate in PCI compliance awareness training. These steps greatly reduce the risk that cardholder data will be abused or mishandled internally.
- Create a company information security policy with a PCI compliance partner.
- Require staff to acknowledge and sign the policy.
- Run background checks on staff before allowing access to the company network.
- Conduct annual staff training regarding the policy.
- Review the policy annually to include any new systems or procedures.
Defeat Cybercriminals, Not Your PCI Compliance Policy
Safeguarding your PCI data can feel overwhelming. But with Outseer, you don’t have to go it alone.
Together with Outseer 3-D Secure, which protects more than $195 billion in CNP transaction volumes each year, our products prevents 95% of all fraud loss, with an intervention rate of just 5%. That’s the best performance in the industry bar none.
By seeing what others can’t, we push down potential loss and dial up your ability to meet and maintain the PCI compliance checklist. To learn more, request a free demo today.